Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation

from the about-time dept

For years, we've talked about how casinos were able to get away with not paying people who won jackpots from electronic gambling machines, by claiming that their wins were really because of software glitches. That always seemed like a highly questionable practice, but even more questionable was filing criminal charges against winners who won because of those glitches. We talked about one such case back in 2007, and then another one in early 2011. That 2011 case involved two guys, John Kane and Andre Nestor, who had figured out a bug in some video poker software from International Game Technology, a gaming giant.

The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x.

Apparently Kane discovered this bug by accident from playing a ridiculous amount of video poker. His lawyer claims that Kane was obsessed with video poker and probably played it more than anyone. He also insists that there was no research or effort that went into this. It was just a fluke from playing so often that Kane found the bug -- and then got his buddy Nestor (and a few others) involved in using this bug to win an awful lot of money. When Nestor was arrested, he was reasonably angry about the whole thing:

“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”

The feds, of course, hit them with CFAA (Computer Fraud and Abuse Act) charges, the same highly questionable hacking law we've been writing so much about lately. The feds argued that Kane and Nestor "exceeded authorized access" -- one of the most troubling parts of the CFAA. The DOJ argued that:

In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.

However, the court was skeptical of this argument, and after the 9th Circuit's ruling in last year's case against David Nosal, where they said that merely violating an employer's computer use policy did not mean you had exceeded authorized access, the court asked the DOJ to explain how the CFAA still applied in light of the Nosal ruling.

Apparently, the DOJ realized that the CFAA charges no longer made sense and, yesterday afternoon dropped those charges. In a simple filing with no explanation, the DOJ asks the court to dismiss the two CFAA-related charges in the indictment. Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges. At the very least, it's good to see increasing pushback on the DOJ for its regular abuse of the CFAA to pile on charges.

Reader Comments

This case is another example of the DOJ doing the work of a large corporation with no interest to the actual law. The issue here shouldn't be with the guys that were exploiting the bug, the casino(s) should be pursuing the issue with the company that wrote the software in civil court.

Re:

Re:

The exploiters did not exceed the authorized limit of their usage. They did not install files on the machine or otherwise modify it. They did not touch buttons or knobs that they were not allowed to touch. They did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do.

Not what I would call "textbook example of hacking". Now THIS is a textbook example of hacking. But it isn't criminal so long as you have authorized access to the machine that you exploit.

Re: Re:

Well that's silly. By this definition, if you did it with the access you were provided, you did not excede the authority limit of the usage. If you are able to install files (by exploiting from rootkit bug or whatever) then it is within your authorized limit.

They did in fact, do exactly what you say here:
"did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do"

This is exactly what was done. They gave it a sequence of input (which will eventually be translated to bytes, not that the bit organization matters to anything) that was specifically designed to trick the system into doing something it wasn't designed to do.

Re: Re: Re:

No, *they* did not create those bytes. The developer of the machine they were exploiting created those bytes by virtue of the program on the machine. Look at that link again - iZsh is actually writing those bytes himself (or rather, his compiler generates the bytes, but the point is, he is writing the code that eventually results in generated bytes of information). Those who exploited the video poker software wrote no bytes themselves.

You may need to brush up on your terminology. A rootkit is installed by someone who does not have authorized access to the machine. If you had authorized access, you wouldn't need the rootkit! In fact, the very act of installing files can be considered exceeding authorized access if you were not authorized to install files on that machine.

In contrast, the individuals caught exploiting this bug were authorized to push the buttons they were pushing. No one said they were not authorized to push those buttons in some specific order. They did not impersonate anyone by pushing those buttons. They did not engage in privilege escalation to have access to the system that they were not authorized to have.

Re: Re: Re:

I would also argue that whether or not the video poker software does what the original developer intended for it to do is entirely separate from what it was designed to do. Computers do exactly what programmers tell them to do.

The video poker machine did exactly what it was designed to do. Users press the buttons that the casino allows them to press. Software processes the button presses. When certain conditions are met, money spews forth. This is the design and this is what happened.

Had the developer screwed up the odds and the machine had started to pay out far more than was intended, do you think the casino would have grounds for telling the winners "sorry, you were exploiting a bug in the software, give back your winnings"?

Re:

Yet another reason why you'd be an idiot to waste your time and money gambling at a casino.

If you start to win serious amounts of money you get kicked out of the Casino, or arrested in this case.

If you lose (which you're highly likely to, as all the games are statistically rigged against you, so that the longer you play the more likely you are to lose money) then they won't kick you out, because you're their ATM.

Re:

I remember during the "Love is in the Air" event a couple of years ago in WoW. They had just redone the event, and you could collect these 'charms' when killing mobs.

It took 10 charms to make a bracelet and it took hundreds of these bracelets to buy things in game (pets, mounts, stuff needed for all of the achievements.)

Not every mob killed resulted in a charm being obtained, so farming these charms (which were Bind on Pickup...the bracelets were able to be sold on the AH..) required a fast repopulating mob that was easy to kill.

I remember it like yesterday....

There is a raid named "Ulduar" that has this vehicle mechanic at the beginning in which there are pillars of Dark Iron dwarves that constantly spawn until you use the vehicles to break down the pillars.

You guessed it, just killing the Dark Iron dwarves themselves spawned these charms like crazy.

4 people, 4 vehicles (because you needed a raid to go in there, and you could get charms for when other people killed something as well.)

Re: Re:

Blizzard deals with most game exploits the easy way: account ban or suspension, depending on severity and how quick they hotfixed it. To my knowledge, Blizz has only gone legal against players for modifying the game client's code and hosting private World of Warcraft servers (the latter for attracting unsubscribed players, IIRC).

Quite obscure complex bug = anomaly!

I guess that Mike is sorta right. Throw him a bone. -- IF the facts hold up as stated, but the bug sounds so complex that I can't believe was found by playing. -- OR if so, then I've no sympathy for an addicted gambler.

Whatever. Main point is that this affects, as anomalies do, only the few involved.

Re: Quite obscure complex bug = anomaly!

If have found complex bugs in computer games I enjoy playing. I see it no differently then him and video poker. The fact that you have no sympathy for a person being charge for a crime that doesn't apply is no surprise though.

Re: Quite obscure complex bug = anomaly!

"The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x. "

So blue, wanna tell me which, if any, of those steps is illegal? I'll give you a hint. The answer is spelled N-O-N-E.

Were the machines inspected?

If he stumbled across the bug is one thing. Now if a software developer intentially placed it there to be exploited is another. Hopefully, the gaming board inspected this and several of these machine types to detetmine if there was tampering before charges were filed.

Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges.

Wire fraud under Section 1349: "shall be fined under this title or imprisoned not more than 20 years, or both." The CFAA charges were either 5 or 10 years. How is wire fraud "much less of a threat than the CFAA charges"? I know you like evidence, so what's yours for making this claim?

Where's the line?

I think there's an interesting gray area here about just when an exploit becomes criminal.

If a slot machine had a bug that erroneously resulted in a jackpot payout every time you played, you'd hardly be a criminal for playing that machine.

On the other hand if the bug is more complex, such that say you had to push a long sequence of buttons in a precise order to force the machine into some sort of test mode, from which you could then force a payout, that seems to cross a line. What if you only knew about this because you had detailed inside knowledge of the machines (but had not planted the bug yourself)? What if you had this knowledge not as an insider, but because you had studied the machines for this purpose?

Re: Re: Where's the line?

Card counting is illegal in Nevada, though Nevada is the only jurisdiction in the world that makes card counting illegal. It is considered a form of cheating, punishable by up to 6 years in jail and $10,000 in fines, like any other form of cheating, if they can prove you were counting cards.

Re: Re: Re: Where's the line?

> Card counting is illegal in Nevada, though Nevada is the
> only jurisdiction in the world that makes card counting illegal.

It most certainly is not illegal. The Nevada Supreme Court ruled conclusively that a player who uses nothing but his own innate ability, unassisted by technology or collaboration with others, cannot be prosecuted for cheating at a casino game.

Re: Re: Re: Re: Where's the line?

You cannot be prosecuted for unassisted card counting.

As long as you do it all in your head, and are not signalling the count to other players, it is 100% legal. You are not allowed to use a device to ASSIST you in counting. That's what's considered cheating, and that will get you prosecuted. Raising your bet because the count is high is not signalling other players. But say if you counted and sat in first base, and bet one denomination for high count, and a different one for low count (both small) and the other players were making their decisions based on that, that's cheating. Counting is legal when done only for yourself, and without using anything but your own head to track it.

But casinos are allowed to bar advantage players, whether they are cheating or not. Gambling is a privilege, not a right.

If someone is making it big counting cards, it affects the casino's bottom line. Once they determine you are in fact advantage playing, and not just lucky, expect to get barred if you are costing them too much money. Advantage playing video poker (certain full pay games can be done) is just too slow a grind, and its' easy to make mistakes, so that's generally not bothered with. But if there was one with high enough stakes, it might be an issue.

Casinos very rarely bar non advantage players that aren't cheating, even if they are winning, because seeing people win makes other want to play, and lose. And if the player is barred, they can't lose their money back to the casino. Fairly often, lucky big winners end up loosing it ALL back if they don't take the money and run.

All these online gambling sites and a fair amount of betting sites are a scam. The lack of physical gambling in this area is really hurting thanks to this online explosion. I'd rather gamble in person and have a shot at taking home winnings, rather than gamble online with the knowledge I won't be able to cash out once the automatic website algorithim hits and I start mysteriously losing.

Helow

Can I simply just say what a relief to uncover a person that genuinely knows what they are talking about on the web. You actually know how to bring an issue to light and make it important. A lot more people need to read this and understand this side of your story. I was surprised that you're not more popular because you surely have the gift.Sbobet

Your post was really informative and very insightful about the online casino websites. I am very glad to read the content of this post in which you wrote how to begin playing casino games for the first time in the websites. I am sure it will help out many newcomers and here I would also like to introduce everyone to my brilliant online casino website where all the players can take advantage of exciting bonuses and play for profitable jackpots.